Spam filter tools & Email Security
Email undoubtedly is the most used and effective forms of communication today. Every business relies heavily on email and the internet. However due to the enormous growth of emails, has also resulted in a massive growth in email threats. The obvious ones are viruses, spyware and of course spam. Also there are other issues such as data leakage of confidential information from within the company, bullying, pornography, violence, hatemail, legal and ethical issues all have to be addressed, monitored and controlled. Not to mention other attacks via email such as denial of service attacks, email spoofing and many more.
Email Proxy firewalls or spam filters have been designed to address at least most of the above issues, if not all. Due to the vast amount of spam flying around, businesses look into investing into spam filters. Spam filters look at each individual e-mail and decide whether the e-mail is spam or legitimate. Spam filter software decides upon this using various layers of tools and methods. An example would be, looking at the subject and body of an e-mail message for common spam words such as “Buy Viagra”, “Make money”.
On the left hand menu there is a list of spam security terminology, tools and features used with spam firewalls. If you are looking for a spam filter, take a look at my which spam.
Your email security strategy should cover and filter the below threats;
Viruses, Trojans and bots
Spam and phishing attacks
Confidential data leakage
Illegal and stolen material
Denial of service attacks
Company defined breaches
General immorally and unethically bad email such as hatemail and pornography
E-mail security features - techniques and technologies
Email firewalls should be able to use various defence in depth technologies when analysing harmful email messages. These include common defence technologies addressing connection based control and content based control, as well as other general security aspects.
Connection based control common examples
Denial of service protection – Protection against DOS attacks.
Rate control – Allows you to control how many connections are allowed from the same IP address. A subset to DOS protection.
Sender authentication – Validating and authenticating the sender using techniques such as reverse DNS look up, SPF, and anti-spoofing techniques.
Recipient Verification – This is protection against directory harvesting attacks, using techniques such as verifying users against an LDAP server and ensuring RFC compliant emails.
SPF Sender Policy Framework and Sender ID Validation – If SPF records of the connecting host exist, then these would be checked to validate that the email is coming from where it is suppose to come from, verifying the sender address and preventing spoofed email.
Greylisting – This feature will reject the connection temporarily. The originating server will retry sending the email message after a short period. Spam botnets are not capable of retrying to deliver an email message already rejected, where legitimate email servers are.
Real time IP Blocklist – The connection will be checked against RBL servers to determine whether the connecting IP is a known or suspected spam originating IP address.
BATV (Bounce address tag validation) Address validation – Validating bounce back messages ensuring it is a legitimate bounce back.
Validate sender domain – A reverse DNS lookup is performed against the connecting host.
Blacklisting – You should be able to blacklist a host name, IP address, domain name or email address. You will be able to use wildcards to simplify the process. For example if you wanted to block a list of IP addresses in the 192.168.1.0 255.255.255.00 range, you can type the wildcard 192.168.1.*
Whitelisting – You should also be able to whitelist against a host name, IP address, domain name or email address. You should be able to use wildcards for whitelisting as well. The important key to have in mind is if you were to whitelist an entity, ensure your whitelisting them against spam checks, however still scanning emails for viruses.
Directory Harvesting Protection – Detecting invalid recipients per connection in order to detect and block directory harvesting attacks.
LDAP Integration – By integrating the spam firewall with an LDAP server, your firewall would accept and process only valid recipients living within the LDAP database, though dropping invalid recipients.
Content based control common examples
Anti-virus Engine – Content checked for viruses, some proxies support the use of multiple anti virus engines. Having this facility enables a Proxy to consist of two different anti-virus software packages, where if one fails to pick up a virus, the other may pick it up.
Anti-Spyware Engine – Content checked for spyware
URL Blocklist – The content of the email message is checked for any URL’s registered with a URL database. These URL’s within a database, would have been previously been identified before one or more times for sending spam emails.
Spam signature database – Email message signature is checked to see if one matches within a database of signatures. If matched, then the email message would be classified as spam.
Detection of malformed messages/attachments – The detection of deliberate malformed email messages that are usually used for DOS attacks.
Blocking filetypes (*.vbs, *.exe, etc) – Blocking of certain files.
Defined files to be blocked by checksum – Using a checksum to define which files should be blocked rather than the name provides guarantee the file will actually get blocked. Blocking file types by file names, can prove to be vulnerable because users just change the filename to bypass the system.
Compress or strip attachments by size or type – Deliver the email, however strip dangerous files.
Strip active HTML code from email – Deliver the email, however take out links that could potentially lead to dangerous websites.
Blocking via MIME types (Multi Purpose Mail Extensions) – Blocking of images, video, music and other MIME type content within an email.
Percentage of HTML in message – If too many html is found within an email, it signifies a very spam looking email and some proxies, depending on how they are configured may quarantine or tag the message.
If a message contains an unsubscribe link – Another example of using regular expressions.
Bayesian Analysis – Determine the probability of the email message being spam using the Bayesian algorithm.
Image analysis – Analysing any images within the body of the message. Images such as pornography are dropped or quarantined. Also attachments can be scanned for images.
Off hour delivery – Large emails taking bandwidth and resources, can be parked for delivery out of hours when network usage is at a low. A 20Mb email message going through an email proxy can take time to process, and may even become stuck delaying all other email messages behind it. So it’s a good idea to have a rule such as any email between 10-20Mb, deliver in off peak hours, and anything above 20Mb do not deliver but notify the sender their email is too large.
Expression Lists / Dictionaries – Using words, expressions, sentences, you would configure your proxy to look for within email headers, subject or body, and if found perform an action such as quarantine or drop. For example you can configure your proxy so that if it finds the words “Buy Viagra” in an email message body or subject, the email will be quarantined.
Rule based spam scoring – Proxies will have their way of assigning an email message an overall spam score depending on the overall connection and content control results. If this score is above a threshold, then the email will be quarantined. If the threshold is not met, then the email will be delivered. Sometimes there is an in between where the email has scored around the boundaries of a threshold and tagged as suspected spam. Multiple tools are used such as analysing the headers, content, reputation of sender, etc.
An email message is checked against connection based defence methods and then content based defence rules. Most spam systems require you to install with default and tune your spam settings to suit your company.
Other security features on spam proxy firewalls
TLS Encryption – Securing email when in transit
Hardened operating system – Minimising the chances of an attack via the operating system.
Internal Email scanning – Scanning of email from internal to internal users within the company.
DLP (Data leakage protection) – Ensuring confidential data does not leak out.
Flexible and granular policy settings – Ability to make very granular and customised settings, keeping users secure but ensuring productivity at the same time.
Legal disclaimer – Applying a legal disclaimer for all outbound email.
Diagnostic tools such as Ping, query DNS records, test SMTP connections, Traceroute and others should be supported by a spam proxy firewall. Some spam firewalls also support a single button connectivity test utility which tests all forms of connection to a group of entities such as testing connections to update servers, peer appliances, exchange server, access to console, etc.
It is important to create policies and rules to deal with the largest and most complicated customer requirements using a wide range of content based detection methods. Organisations are also using these same detection methods for internal to internal email scanning, so monitoring emails sent internally within the company.
Other features spam firewalls should support are backup and restore facility, granular and detailed logs, reports and alarms, remote management tools, user rights management, and as already mentioned, troubleshooting tools. Look for aspects such as how granular the reports are; can you filter on certain requirements such as which senders sent the most executable files on particular dates? How many system alarms are supported? Basic alarms would be disk space low, memory low, high CPU usage, updates failed, LDAP sync failed, TLS issues and many others.
If you want to look deeper within how granular features are then you may want to plan and produce a list of all features you require. For example how does the spam firewall handle per user quarantine areas, how many quarantine digests are sent a day to the individual’s inbox, how easy is it to configure informs and notifications for a particular rule. How can reports be accessed and in what form? Common ways are PDF documents, CSV and Email.
Last but not least how customisable and simple the GUI and interface is to use, are you able to produce favourite links or shortcuts to most used settings on the main page?
Simply put email traffic flowing in and out of the company needs to be controlled; you won’t be able to do business otherwise. Also the flow of email within an organisation, internal email should be considered as well. As well as desktops; client machines, laptops, blackberries and mobile phones and other mobile and handheld devices have email capabilities today and should be treated no differently than the standard desktop machines.
Using a reputable and well established spam proxy firewall and following some basic principles, there’s no reason why you cant let legitimate email through while stopping the harmful email threats such as viruses, spam, spyware, trojans, denial of service attacks, phishing, loss of confidential data and in general just offensive, immoral and illegal material.
Wikipedia's guide to Anti Spam Techniques